As used herein a “threat” comprises malicious software, also known as “malware” or “pestware”, which comprises software that is included or inserted in a part of a processing system or processing systems for a harmful purpose. The term threat should be read to comprise possible, potential and actual threats. Types of malware can comprise, but are not limited to, malicious libraries, viruses, worms, Trojans, adware, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or theft of identity, malicious software that passively observes the use of a computer is known as “spyware”.
A hook (also known as a hook procedure or hook function), as used herein, generally refers to a callback function provided by a software application that receives certain data before the normal or intended recipient of the data. A hook function can thus examine or modify certain data before passing on the data. Therefore, a hook function allows a software application to examine data before the data is passed to the intended recipient.
An API (“Application Programming Interface”) hook (also known as an API interception), as used herein as a type of hook, refers to a callback function provided by an application that replaces functionality provided by an operating system's API. An API generally refers to an interface that is defined in terms of a set of functions and procedures, and enables a program to gain access to facilities within an application. An API hook can be inserted between an API call and an API procedure to examine or modify function parameters before passing parameters on to an actual or intended function. An API hook may also choose not to pass on certain types of requests to an actual or intended function.
A process, as used herein, is at least one of a running software program or other computing operation, or a part of a running software program or other computing operation, that performs a task.
A hook chain as used herein, is a list of pointers to special, application-defined callback functions called hook procedures. When a message occurs that is associated with a particular type of hook, the operating system passes the message to each hook procedure referenced in the hook chain, one after the other. The action of a hook procedure can depend on the type of hook involved. For example, the hook procedures for some types of hooks can only monitor messages, others can modify messages or stop their progress through the chain, restricting them from reaching the next hook procedure or a destination window.
In a networked information or data communications system, a user has access to one or more terminals which are capable of requesting and/or receiving information or data from local or remote information sources. In such a communications system, a terminal may be a type of processing system, computer or computerised device, personal computer (PC), mobile, cellular or satellite telephone, mobile data terminal, portable computer, Personal Digital Assistant (PDA), pager, thin client, or any other similar type of digital electronic device. The capability of such a terminal to request and/or receive information or data can be provided by software, hardware and/or firmware. A terminal may comprise or be associated with other devices, for example a local data storage device such as a hard disk drive or solid state drive.
An information source can comprise a server, or any type of terminal, that may be associated with one or more storage devices that are able to store information or data, for example in one or more databases residing on a storage device. The exchange of information (ie. the request and/or receipt of information or data) between a terminal and an information source, or other terminal(s), is facilitated by a communication means. The communication means can be realised by physical cables, for example a metallic cable such as a telephone line, semi-conducting cables, electromagnetic signals, for example radio-frequency signals or infra-red signals, optical fibre cables, satellite links or any other such medium or combination thereof connected to a network infrastructure.
A system registry is a database used by operating systems, for example Windows™ platforms. The system registry comprises information needed to configure the operating system. The operating system refers to the registry for information ranging from user profiles, to which applications are installed on the machine, to what hardware is installed and which ports are registered.
An entity can comprise, but is not limited to, a file, an object, a class, a collection of grouped data, a library, a variable, a process, and/or a device.
The term “activity” is used herein to encompass an event which has occurred and/or an action which is to be performed.
There are currently a number of techniques which can be used to detect malicious activity in a processing system.
One technique comprises using database driven malware techniques which detect known malware. In this technique, a database is used which generally comprises a signature indicative of a particular type of malware. However, this technique suffers from a number of disadvantages. Generating and comparing signatures for each entity in a processing system to the database can be highly process-intensive task. Other applications can be substantially hampered or can even malfunction during this period of time when the detection process is performed. Furthermore, this technique can only detect known malware. If there is no signature in the database for a new type of malware, malicious activity can be performed without the detection of the new type of malware.
Another method that can be used comprises a dynamic detection technique to detect malicious activity in a processing system. In this technique particular events are recorded which are generally associated with the behaviour of malware. The recorded events are then analysed to determine whether the events are indicative of malicious activity. Thus, new types of malware can be detected if they perform behaviour which is generally considered malicious. However, this activity suffers from high inefficiency due to recording ‘false positives’. For example, if the user interacts with the operating system to cause a permission of a file to change, this event could be recorded and possibly analysed, thereby wasting processing resources.
Therefore, there exists a need for a method, system, computer readable medium of instructions, and/or a computer program product which can efficiently detect malicious activity in a processing system which addresses or at least ameliorates at least one of the problems inherent in the prior art.
The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.